• 0 Posts
  • 12 Comments
Joined 2 years ago
cake
Cake day: June 12th, 2023

help-circle
  • TeddE@lemmy.worldtoLinux@lemmy.mlAntiviruses?
    link
    fedilink
    arrow-up
    0
    ·
    5 days ago

    Hard disagree - the point is a decade ago there wasn’t enough Linux market share for bad actors to target Linux. Proton is a compatibility layer, which while technically being a sandbox, it isn’t designed around security the way a browser sandbox is. It would not be hard for a virus embedded in a made-for-windows program to identify that it’s actually a proton sandbox, then deploy a Linux-specific payload (assuming the malware designer gave it some forethought for that situation). Heck - there’s plenty of viruses that do their work in scripting languages that don’t care what OS you’re running on.








  • It’s pretty much indisputably better for security.

    I dispute this. While adding extra layers of security looks good on paper, flawed security can be worse than no security at all.

    Android packages already have to be signed to be valid and those keys already are very effective in practice. In effect these new measures are reinventing the wheel as to what a layperson would think this new system does.

    Adding this extra layer in fact has no actual security benefit beyond posturing/“deterrence”. Catching a perpetrator is not the same thing as preventing a crime. Worse - catching a thief in meatspace has the potential to recover stolen goods, but not so in digital spaces - either the crime is damage or destruction of data for which no punishment undoes the damage or the crime is sharing private data which in practice would almost certainly have been immediately fenced to multiple data brokers.

    And were only getting started with this security theater:

    • Nothing prevents an organization from hiring a developer for long enough to register before being flushed (or the same effect with a burner account on fiver)
    • Nothing in this program does anything to get code libraries vetted - many of these developers may accidentally be publishing code from poisoned wells that they have no practical knowledge of.
    • None of these measures make scams less profitable.
    • None of this addresses greyware - software that could technically qualify as legal (because the user agreed to terms of service for a service of dubious value)
    • All of this costs time and resources that will likely inevitably be shouldered on low paid engineers that could have put that effort to better uses.
    • Metrics and statistics may likely be P-hacked to reflect that the new system as a success (because there’s internal pressure to make it look good) this turning-security-into-press-releases would have collateral of making accountability overall worse.

    But you know what would be even better for security?

    While we’re at it we could add the tropes of removing network connectivity, or switch to using clay tablets kept in a wooden box guarded by a vengeful god. Both of those would be more secure, too.

    Users should be allowed to do insecure things with their devices

    100% agree with you here - it’s fundamentally the principle of “Your liberty to swing your fist ends just where my nose begins”. Users should be given the tools and freedom to do as they want with their property - up until it affects another person or their property in an unwanted way.